[FX.php List] [OFF] Strange SSL cert occurrences...

Leo R. Lundgren leo at finalresort.org
Mon Jan 12 10:53:17 MST 2009


I think that the first encountered certificate is used, due to the simple reason
that in order to use a specific certificate based on what virtual host is
requested, the server needs to look at the Host: HTTP header of the transmission,
and since encrypting the whole transmission (including the HTTP headers) is what
the certificate is meant to do, it's just an endless loop that doesn't work (for
name-based virtual hosts; port-based ones should be different, but that's not
very useful for you unless you proxy the traffic). That's why the first cert is
used.

To accommodate the need we're moving towards TLS with HTTP, so that an HTTP
connection can be set up and then "upgraded" to an encrypted channel
post-initial-headers and pre-sending-data-that-needs-to-be-secure. However, I
dunno how far that work has gotten (I think it's good in "open" browsers, but IE
and whatnot lags behind as usual).

Here's a snippet from http://en.wikipedia.org/wiki/Https:

> Because SSL operates below HTTP and has no knowledge of higher-level
> protocols, SSL servers can only strictly present one certificate for a
> particular IP/port combination.[3] This means that, in most cases, it is
> not feasible to use name-based virtual hosting with HTTPS. RFC-3546 TLS
> Extensions describes a solution called Server Name Indication (SNI),
> although many older browsers don't support this extension. Support for
> SNI is available since Firefox 2.0, Opera 8, Mozilla 1.8, and Internet
> Explorer 7 on Windows Vista.



On 11 Jan 2009, at 19:14, Longterm Solutions wrote:

> Here's my latest conundrum with setting up this new site:
>
> I have a global SSL cert on all of my web servers, that clients can  
> use on their sites. It is pointed to the root of the web server's  
> documents folder, rather than a specific site folder, so that  
> anyone on the server can invoke it by configuring their URL  
> properly. Works great, been doing this for years...
>
> However, my new client wanted his own SSL cert so that the domain  
> name at the top wouldn't ever change while someone was on the site.  
> So I installed his new cert, and it worked perfectly...
>
> But it stopped the *other* cert from working. So I changed the  
> order of the sites, putting the "global" cert listing at the top of  
> the list, and again the global cert works properly.
>
> It seems that, since the "global" cert is global to the whole webserver
> folder, that it somehow takes precedence over the site-specific one.
>
> I'm using virtual hosting, as I've done for 12 years; when someone  
> puts in a domain name, the web server takes them to the appropriate  
> folder, based on the domain name.
>
> But what is happening is this: someone types in this other domain  
> name (the one which has its own cert), and although they get to the  
> appropriate site folder, the web server invokes the other certificate.
>
> So, I took a static IP address (I have a block of 60) that I wasn't  
> using, assigned it to the "global" domain name, which is  
> ssl3.longtermsolutions.com, and everything started working perfectly.
>
> It *seems* that when you use virtual hosting, the domain name that  
> has its own cert will for some strange reason "default" to the  
> global cert, even though it's been assigned its own cert. Then,  
> when the two domain names are separated by IP, it all cleans up.
>
> What a pain...
>
> Bob Patin
> Longterm Solutions LLC
> bob at longtermsolutions.com
> 615-333-6858
> http://www.longtermsolutions.com
> Twitter: bobpatin
> iChat/AIM: bobpatin
> FileMaker 9 Certified Developer
> Member of FileMaker Business Alliance & TechNet
> --------------------------
> FileMaker hosting and consulting for all versions of FileMaker
> PHP • Full email services • Free DNS hosting • Colocation • Consulting
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list


-|
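As an added illustration of the SNI mechanism the Wikipedia excerpt refers to (this is example code, not part of either list post and not any server's own implementation), the script below builds a TLS ClientHello by hand, pulls the server_name extension back out of it, and then mimics what a server holding several certificates on one IP:port does with it: pick the vhost whose name matches the SNI value, or fall back to the first configured vhost when the client sent no SNI or an unknown name. Nothing is encrypted at that point, so the server does not need a certificate to read the name; that is what breaks the "endless loop" for SNI-capable clients, while the fallback branch is exactly the "first cert wins" behaviour Bob saw. The vhost table, the cipher suite and the hostname client.example.com are constructed for the example; ssl3.longtermsolutions.com is the name from the thread.

```python
"""Hand-rolled TLS ClientHello builder, SNI extractor and certificate selector.

Example code for the list thread, not a real server. Wire format follows
RFC 5246 (ClientHello) and RFC 6066 / RFC 3546 (server_name extension).
"""
import os
import struct
from typing import List, Optional, Tuple

HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 0x01     # handshake message type
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST = 0x00

# Constructed vhost table: (hostname, certificate label), in configuration order.
# Only ssl3.longtermsolutions.com comes from the thread; the rest is made up.
VHOSTS: List[Tuple[str, str]] = [
    ("ssl3.longtermsolutions.com", "global-cert.pem"),
    ("client.example.com", "client-cert.pem"),
]


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Return one TLS record carrying a ClientHello, with SNI only if a name is given."""
    body = b"\x03\x03" + os.urandom(32)              # client_version (TLS 1.2) + random
    body += b"\x00"                                   # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"        # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                               # compression_methods: null only
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = struct.pack("!BH", NAME_TYPE_HOST, len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry   # ServerNameList length + entries
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Read the host_name from a ClientHello record; None if the client sent no SNI.

    Everything parsed here is plaintext: the server needs no key material yet.
    """
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 4                                   # handshake type + 3-byte length
    pos += 2 + 32                             # client_version + random
    sid_len = hs[pos]
    pos += 1 + sid_len                        # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len                         # cipher_suites
    cm_len = hs[pos]
    pos += 1 + cm_len                         # compression_methods
    if pos + 2 > len(hs):
        return None                           # pre-extension ClientHello (old clients)
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + length]
        pos += length
        if ext_type == EXT_SERVER_NAME:
            q = 2                             # skip ServerNameList length
            while q + 3 <= len(data):
                name_type, nlen = struct.unpack("!BH", data[q:q + 3])
                q += 3
                if name_type == NAME_TYPE_HOST:
                    return data[q:q + nlen].decode("idna")
                q += nlen
    return None


def select_certificate(record: bytes, vhosts: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Choose the vhost (and thus cert) for one IP:port: SNI match, else the first one listed."""
    name = extract_sni(record)
    if name is not None:
        for host, cert in vhosts:
            if host.lower() == name.lower():
                return host, cert
    return vhosts[0]                          # no SNI or no match: default vhost wins


if __name__ == "__main__":
    for requested in ("client.example.com", "ssl3.longtermsolutions.com", None):
        hello = build_client_hello(requested)
        print(f"SNI={extract_sni(hello)!r:32} -> {select_certificate(hello, VHOSTS)}")
```

The ordering of VHOSTS is the point: with no SNI in the ClientHello the server cannot tell the two names apart and hands out whichever certificate is configured first, which is why reordering the vhosts changed which site "worked" and why moving one name to its own IP fixed it without SNI. A client that does send SNI (any of the browsers listed in the quoted excerpt) gets the matching certificate even when both names share an address.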


